[mdlug] ACLs difficult to administer?

Jonathan Billings billings at negate.org
Sun Oct 12 19:03:10 EDT 2008


On Oct 11, 2008, at 12:58 PM, Dean Durant wrote:

> Hello, say the usual format of ugo (user, group, other) isn't
> sufficient in a certain situation. You need multiple groups with
> multiple sets of different permissions. You can do it with
> ACLs. Are ACLs hard to manage? Is NTFS any better? Why might
> someone say so? What is the tie-in with samba? If someone says
> ntfs is easier, are they just being lazy? Thanks,

I think NTFS users aren't really lazier; it's just that they have a
filesystem with ACLs that is more fully capable than what most Linux
users are familiar with.  While it's possible to use POSIX ACLs on
ext3 filesystems, how often do people use them?

ACLs can give you the ability to have more than one user and group  
assigned to a file or directory.  Sure, as others have mentioned, you  
can have complex listings in groups, but honestly, I believe that's  
just a hack to get around the fact that the user/group/other method of  
defining access to files and directories isn't sufficient for complex  
situations.  NTFS ACLs can be tied to users and groups in the AD  
domain as well as local user/groups, unlike UNIX permissions.

I think the advantage you can get with ACLs on an SMB volume is that
they can be tied to an authenticated user.  NFS with normal UNIX
groups, on the other hand, is purely based on the numeric value of
the local users and groups on the client.  If the user has root on the
client, they can easily pretend to be whatever user or group they see
on the server.  There are ways to secure NFS with Kerberos, but it's
rarely used.

ACLs are pretty useful if you have them.  Unfortunately, I don't think
that Windows users really know about them or use them, but it's pretty
useful if you're a Windows admin.  I know I use AFS ACLs quite often
on Linux and Solaris systems, and they're quite powerful.

--
Jonathan Billings <billings at negate.org>
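The question above asks how a file can carry several groups with different
permission sets. The script below is an added example (it is not part of the
mailing list thread and not code from any of the posters): it parses a
constructed getfacl(1)-style listing and evaluates access requests with the
POSIX ACL check order from acl(5), which is owner entry first, then a named
user entry, then the owning group and any matching named group entries, and
finally the other entry. Named users and all group entries are filtered
through the mask entry. The file name, user and group names, and the ACL
itself are made up for the example.

```python
"""Evaluate POSIX ACL access decisions using the algorithm described in acl(5).

Added illustration: parses a getfacl-style listing (constructed here, not
captured from a real system) and answers "may this principal do X?".
"""
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # permission bits, same encoding as chmod


def parse_perms(s: str) -> int:
    """Turn 'rw-' into the bit value 6."""
    return ((R if s[0] == "r" else 0)
            | (W if s[1] == "w" else 0)
            | (X if s[2] == "x" else 0))


@dataclass
class Acl:
    owner: str                    # from the '# owner:' header line
    group: str                    # from the '# group:' header line
    user_obj: int = 0             # user::  entry (the owner's permissions)
    group_obj: int = 0            # group:: entry (the owning group's permissions)
    other: int = 0                # other:: entry
    users: dict = field(default_factory=dict)   # user:NAME:perms entries
    groups: dict = field(default_factory=dict)  # group:NAME:perms entries
    mask: Optional[int] = None    # mask:: entry; None means a minimal ACL without one


def parse_getfacl(text: str) -> Acl:
    """Parse the text format printed by getfacl(1)."""
    owner = group = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue  # '# file:' and similar comment lines
        else:
            entries.append(line)
    if owner is None or group is None:
        raise ValueError("listing lacks '# owner:' / '# group:' header lines")
    acl = Acl(owner, group)
    for entry in entries:
        # getfacl may append '#effective:...' after whitespace; keep only the entry itself
        tag, qualifier, perms = entry.split()[0].split(":")[:3]
        bits = parse_perms(perms)
        if tag == "user":
            if qualifier == "":
                acl.user_obj = bits
            else:
                acl.users[qualifier] = bits
        elif tag == "group":
            if qualifier == "":
                acl.group_obj = bits
            else:
                acl.groups[qualifier] = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL entry tag: {tag}")
    return acl


def check_access(acl: Acl, user: str, groups: set, want: int) -> bool:
    """Return True if 'user' (member of 'groups') is granted every bit in 'want'.

    Implements the acl(5) access check: the first matching class decides, and
    the mask limits named users and all group entries but not the owner or other.
    """
    mask = acl.mask if acl.mask is not None else R | W | X
    if user == acl.owner:                       # 1. owner entry, not masked
        return acl.user_obj & want == want
    if user in acl.users:                       # 2. named user entry, masked
        return acl.users[user] & mask & want == want
    matching = []                               # 3. owning group and named groups
    if acl.group in groups:
        matching.append(acl.group_obj)
    matching += [perms for name, perms in acl.groups.items() if name in groups]
    if matching:
        # any single matching entry that contains all requested bits grants access;
        # if a group entry matched but none grants, access is denied here and the
        # other:: entry is never consulted
        return any(perms & mask & want == want for perms in matching)
    return acl.other & want == want             # 4. other entry, not masked


# Constructed listing: one owner, one owning group, two named groups with
# different rights, and a mask that strips execute from everyone but the owner.
SAMPLE_LISTING = """\
# file: reports/q3.txt
# owner: dean
# group: staff
user::rw-
user:alice:r--
group::r--
group:devs:rwx
group:auditors:r--
mask::rw-
other::---
"""

if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_LISTING)
    for who, member_of, bit, label in [
        ("dean", {"staff"}, W, "owner writes"),
        ("bob", {"devs"}, X, "devs member executes (mask removes x)"),
        ("carol", {"auditors"}, W, "auditor writes"),
        ("mallory", {"guests"}, R, "outsider reads"),
    ]:
        print(f"{label}: {check_access(acl, who, member_of, bit)}")
```

The mask entry is the part people trip over: `chmod g-w` on a file with an
extended ACL rewrites `mask::`, not `group::`, so every named user and group
silently loses write access at once. Running `getfacl` and reading the
`#effective:` column is the quickest way to confirm what a principal actually
gets.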